Problem/Motivation

sms_user automatically authenticates a user based on the incoming recipient's number and switches the current user to that user. If authentication fails, it does not switch user and does not provide any warning. This is inconsistent behavior, is not very secure, and makes assumptions about what other modules would be doing (some modules may not want to switch user on an incoming SMS).

Proposed resolution

1. Add a setting that allows users to opt-out (or rather opt-in) to automatic user switching.
2. Consider removing also the automatic registration of a number which was not authenticated (could be a security issue too).

Remaining tasks

Discuss
Patch
Reviews
Commit

User interface changes

Added a setting to the /admin/smsframework/sms_user_options page to allow opt-in to automatic user switching.

API changes

sms_user_sms_incoming() will no longer switch to authenticated users. May affect some modules that depended on that behaviour.

Comment | File | Size | Author
#2 | 2401699-2.patch | 5.47 KB | almaudoh

Comments

almaudoh’s picture

Priority: Major » Normal

This should not block the stable release.

almaudoh’s picture

Status: Active » Needs review

Ok, here's a patch that adds a setting to the SMS User Options to allow a user to turn on that behavior if needed. The default setting is off. This should address any exposures.

> Consider removing also the automatic registration of a number which was not authenticated (could be a security issue too).

This behavior also has a switch already. So leaving as is.

almaudoh’s picture

Issue summary: View changes

Updated the issue summary.

  • almaudoh committed 28a8cfd on 7.x-1.x
    Issue #2401699 by almaudoh: sms_user_sms_incoming() should not...
almaudoh’s picture

Status: Needs review » Fixed

Committed / pushed to 7.x-1.x

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.
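
The opt-in user switching described in the issue summary, sketched as an added example for a hypothetical custom Drupal 7 module (`mymodule`); it is not the committed patch or the SMS Framework's own code. The function name and the `mymodule_switch_user` variable are invented for illustration, `sms_user_get_uid()` is assumed to map a number to a uid, and the example goes slightly beyond the issue by also restoring the original user with core's session-safe impersonation pattern.

```php
<?php
/**
 * Added example (hypothetical module "mymodule", Drupal 7).
 * Runs $callback as the account owning $number, only when the site opted in.
 */
function mymodule_run_as_sms_sender($number, $callback) {
  global $user;

  // Opt-in, default off. 'mymodule_switch_user' is a hypothetical variable.
  if (!variable_get('mymodule_switch_user', FALSE)) {
    return call_user_func($callback, $user);
  }

  // Assumption: sms_user_get_uid() returns the uid registered for a number.
  $uid = sms_user_get_uid($number);
  $account = $uid ? user_load($uid) : FALSE;
  if (!$account || !$account->status) {
    // A failed lookup is logged instead of being silently ignored.
    watchdog('mymodule',
      'No active account for incoming SMS number %number; user not switched.',
      array('%number' => $number), WATCHDOG_WARNING);
    return call_user_func($callback, $user);
  }

  // Impersonate without letting the switched identity reach the session.
  $original_user = $user;
  $old_state = drupal_save_session();
  drupal_save_session(FALSE);
  $user = $account;
  try {
    $result = call_user_func($callback, $account);
  }
  catch (Exception $e) {
    // Restore the original identity before propagating the error.
    $user = $original_user;
    drupal_save_session($old_state);
    throw $e;
  }
  $user = $original_user;
  drupal_save_session($old_state);
  return $result;
}
```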